[PR] [Improve][authentication] Pass the authorization when user lookup transactionCoordinator topic [pulsar]

Mon, 20 May 2024 02:35:36 -0700 


TakaHiR07 opened a new pull request, #22744:
URL: https://github.com/apache/pulsar/pull/22744

   ### Motivation
   
   As seen in the AuthenticatedTransactionProducerConsumerTest, if we enable 
authorization, and want to produce/consume to a normal topic by transaction, we 
not only need to grant permission on normal topic, but also need to  grant 
permission on system namespace.
   
   #### It looks unreasonable and very dangerous. 
   
   Normal users just want to produce/consume to a normal topic by transaction, 
but super user need to grant the whole system namespace permission to them. I 
think the reasonable way is to make normal user unable to produce/consume 
system namespace directly, instead, make them able to lookup the 
transactionCoordinator topic.  
   
   ### Modifications
   
   When do canLookupAsync(), if the topic is tc topic, pass the authorization
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   *(Please pick either of the following options)*
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   *(or)*
   
   This change is already covered by existing tests, such as *(please describe 
tests)*.
   
   *(or)*
   
   This change added tests and can be verified as follows:
   
   *(example:)*
     - *Added integration tests for end-to-end deployment with large payloads 
(10MB)*
     - *Extended integration test for recovery after broker failure*
   
   ### Does this pull request potentially affect one of the following parts:
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   *If the box was checked, please highlight the changes*
   
   - [ ] Dependencies (add or upgrade a dependency)
   - [ ] The public API
   - [ ] The schema
   - [ ] The default values of configurations
   - [ ] The threading model
   - [ ] The binary protocol
   - [ ] The REST endpoints
   - [ ] The admin CLI options
   - [ ] The metrics
   - [ ] Anything that affects deployment
   
   ### Documentation
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   - [ ] `doc` <!-- Your PR contains doc changes. -->
   - [ ] `doc-required` <!-- Your PR changes impact docs and you will update 
later -->
   - [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
   - [ ] `doc-complete` <!-- Docs have been already added -->
   
   ### Matching PR in forked repository
   
   PR in forked repository: <!-- ENTER URL HERE -->
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to